Cisco 200-201 Online Practice Questions and Exam Preparation

Cisco 200-201 Online Questions & Answers

• Question 441:

  Refer to the exhibit.

  

  What does this output indicate?

  A. HTTPS ports are open on the server.
  B. SMB ports are closed on the server.
  C. FTP ports are open on the server.
  D. Email ports are closed on the server.
  D. Email ports are closed on the server.

  ---

  Explanation

  445. Port 139 - SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network. Port 445 - Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

  https://www.varonis.com/blog/smb-port

  SMB Ports 139 and 445 are open Email Ports 25 and 110 are closed.

  Therefore "D. Email Ports are closed on the Server."

• Question 442:

  Refer to the exhibit.

  

  What is occurring?

  A. The mail client is communicating on port 465.
  B. The Seq and Ack numbers are altered
  C. Mail communication is not encrypted.
  D. The SMTP relay service is running.
  C. Mail communication is not encrypted.

  ---

  Explanation

  The exhibit indicates that email traffic is being transmitted in clear text, meaning the contents of the communication are readable without encryption. In network intrusion analysis, this is commonly observed when Simple Mail Transfer Protocol (SMTP) traffic is captured on standard ports such as 25 or 587 without Transport Layer Security (TLS) enabled. Encrypted mail protocols, such as SMTPS on port 465 or SMTP with STARTTLS, protect message contents from being inspected by unauthorized parties. When encryption is not in use, sensitive information such as email headers, message bodies, usernames, and potentially passwords can be exposed to attackers performing packet capture or man-in-the-middle attacks.

  Option A is incorrect because port 465 indicates encrypted SMTPS communication, which contradicts the observed plaintext traffic.

  Option B is incorrect because altered sequence and acknowledgment numbers would indicate session manipulation or injection, not lack of encryption.

  Option D refers to the function of an SMTP relay but does not describe the observed condition in the traffic. Cybersecurity operations fundamentals stress the importance of detecting unencrypted protocols during network analysis, as they represent high-risk exposure points. Identifying plaintext email communication is a key responsibility of SOC analysts and often leads to remediation actions such as enforcing TLS or disabling insecure services.

  Therefore, the correct conclusion is that mail communication is not encrypted, making Option C the correct answer.

• Question 443:

  What are the two characteristics of the full packet captures? (Choose two.)

  A. Identifying network loops and collision domains.
  B. Troubleshooting the cause of security and performance issues.
  C. Reassembling fragmented traffic from raw data.
  D. Detecting common hardware faults and identify faulty assets.
  E. Providing a historical record of a network transaction.
  C. Reassembling fragmented traffic from raw data.
  E. Providing a historical record of a network transaction.

• Question 444:

  A user received an email attachment named "Hr405-report2609-empl094.exe" but did not run it.

  Which category of the cyber kill chain should be assigned to this type of event?

  A. installation
  B. reconnaissance
  C. weaponization
  D. delivery
  D. delivery

• Question 445:

  What is the benefit of processing statistical data for security systems?

  A. detects suspicious behavior based on traffic baselining trends
  B. uses less CPU and RAM resources than metadata-based monitoring
  C. provides fewer false negative events than full packet capture
  D. provides full visibility based on capture of packet traffic data
  A. detects suspicious behavior based on traffic baselining trends

• Question 446:

  Refer to the exhibit.

  

  A network engineer is analyzing a network activity within captured traffic. An engineer notices suspicious behavior, a type of ICMP that Wireshark does not recognize.

  What is occurring?

  A. These are failed communication attempts because ICMP communication is administratively prohibited.
  B. These are responses from destination because the destination network is unreachable for this type of service.
  C. Wireshark cannot map the type of ICMP requests because they are not legitimate ICMP echo requests.
  D. Wireshark cannot map the type due to fragmentation, and fragment ID was not set on the destination host.
  B. These are responses from destination because the destination network is unreachable for this type of service.

• Question 447:

  Refer to the exhibit

  

  A penetration tester runs the Nmap scan against the company server to uncover possible vulnerabilities and exploit them.

  Which two elements can the penetration tester identity from the scan results? (Choose two.)

  A. UIDs and group identifiers
  B. number of concurrent connections the server can handle
  C. running services and applications
  D. server uptime and internal clock
  E. server purpose and functionality
  C. running services and applications
  E. server purpose and functionality

• Question 448:

  What is a difference between inline traffic interrogation and traffic mirroring?

  A. Inline inspection acts on the original traffic data flow
  B. Traffic mirroring passes live traffic to a tool for blocking
  C. Traffic mirroring inspects live traffic for analysis and mitigation
  D. Inline traffic copies packets for analysis and security
  A. Inline inspection acts on the original traffic data flow

  ---

  Explanation

  Inline traffic interrogation analyzes traffic in real time and has the ability to prevent certain traffic from being forwarded Traffic mirroring doesn't pass the live traffic instead it copies traffic from one or more source ports and sends the copied traffic to one or more destinations for analysis by a network analyzer or other monitoring device

• Question 449:

  Which technique is used by attackers to disguise malicious traffic as legitimate traffic?

  A. encryption
  B. fragmentation
  C. tunneling
  D. hashing
  C. tunneling

  ---

  Explanation

  Tunneling is a technique used to encapsulate one type of traffic within another protocol, allowing attackers to disguise malicious activity as legitimate traffic. For example, malware may tunnel data over HTTP or DNS to bypass security controls. Encryption (A) protects data but does not inherently disguise its nature. Fragmentation (B) splits packets but does not conceal intent. Hashing (D) is used for data integrity. Tunneling is commonly used in advanced persistent threats (APTs) to evade detection. Detecting tunneling requires analyzing traffic patterns, protocol anomalies, and unusual payload sizes. Security tools such as DPI and behavioral analysis are often used to identify tunneling activity.

• Question 450:

  What is the relationship between a vulnerability and a threat?

  A. A threat exploits a vulnerability
  B. A vulnerability is a calculation of the potential loss caused by a threat
  C. A vulnerability exploits a threat
  D. A threat is a calculation of the potential loss caused by a vulnerability
  A. A threat exploits a vulnerability